topic Re: AD Computer not recognized in Access Roles with Machine Authentication in SASE and Remote Access

AD Computer not recognized in Access Roles with Machine Authentication

mlinzer — Tue, 24 Aug 2021 14:12:06 GMT

We have implemented machine authentication successfully on R80.40. I see the machine authenticating and the value of the Subject field in the certificate appears in the log. However, i am unable to use Access Roles that test for specific machines/groups from the Active Directory. Even though the machine is recognized, the Access Role is not matched. I have tried populating the certificate with the plain CN as well as the full DN. Nothing seems to work. I can create an access role with "All identified machines", but not with specific machines or groups. Has anyone implemented this successfully?

Thanks,

Moshe

Re: AD Computer not recognized in Access Roles with Machine Authentication

PhoneBoy — Thu, 26 Aug 2021 15:05:35 GMT

Is Remote Access configured as an identity source in your gateway object?
Also, it's possible the machine identity would need to come from your AD server in this case...I presume your client can reach the AD server(s) when connected via VPN?

Re: AD Computer not recognized in Access Roles with Machine Authentication

mlinzer — Fri, 27 Aug 2021 08:14:48 GMT

Yes, remote access is configured under Identity Sources. The clients can access the AD server.

Users and user groups are identified fine. The problem is with machine identity.

What is the recommended value for the Subject field in the Machine Certificate?